A Chinese hacking group has continued to target phone and wireless providers around the world, compromising devices tied to seven telecommunications companies since February, according to a bulletin that a cybersecurity company recently sent to clients.
In the past five months, the Chinese state-sponsored hacking group widely referred to as Salt Typhoon has breached network devices at locations on the internet that are owned by the seven companies, including the American telecom and media firm Comcast Corp., South Africa’s MTN Group Ltd. and South Korea’s LG Uplus Corp., the report from cybersecurity firm Recorded Future Inc. shows. Bloomberg News reviewed the report under the condition that certain companies aren’t named.
The report says the compromised devices likely belong to the seven companies’ clients and doesn’t say the telecommunications firms were breached.
Nonetheless, it shows the hackers’ persistent efforts to infiltrate communications firms and their customers globally — and their success at penetrating the types of devices that have offered paths into organizations’ networks in the past. In November, US officials accused the group of a “broad and significant cyber-espionage campaign” that had breached telecommunications companies and targeted the phones of prominent politicians, including then-presidential candidate Donald Trump.
Hackers have previously compromised seemingly innocuous hardware — such as routers, switches and other so-called edge devices — and used that access to launch other, more compromising attacks. Such equipment tends to run on infrastructure owned by telecommunications companies, even while those firms’ clients are often the hackers’ real targets, said Pete Renals of the cybersecurity firm Palo Alto Networks Inc.
Comcast said the hacked equipment belongs to a client, that it investigated and that its own network wasn’t impacted. LG Uplus also said the breached device was owned by a client and the issue wasn’t related to its internal systems. MTN said it hadn’t detected any cyberattack by the group of hackers.
A representative of the Chinese Embassy in Washington emphasized in a statement the difficulty of determining the origins of hacks. Despite issuing sanctions, the US government has “been unable to produce conclusive and reliable evidence” that the Chinese government was behind the breaches blamed on Salt Typhoon, said embassy spokesperson Liu Pengyu.
“We hope that relevant parties will adopt a professional and responsible attitude when characterizing cyber incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations,” he said.
After hackers compromised network hardware at internet addresses owned by the communications companies, researchers at Recorded Future tracked those devices “communicating” with computer systems used by the intruders, according to the report. It doesn’t elaborate on the substance or extent of those communications, though Jonathan Luff, chief of staff at Recorded Future, said the hackers’ ultimate objective was “to use this initial access as a launchpad to pivot into the sensitive, internal core of telecommunications networks.”
Salt Typhoon “continues to methodically target devices within telecommunications networks to potentially gain access to the providers’ internal systems,” Luff said in an email. The group “remains a serious and significant threat to US and global telecommunications networks, putting sensitive information and communications at risk,” he said.
The hackers spent the winter and spring of this year scouring the internet to identify hundreds of potentially vulnerable devices in countries all over the world, according to Recorded Future. They then used old, unpatched cybersecurity vulnerabilities to break into some of them, according to the report.
Over the past few months, the Salt Typhoon hackers have shifted their strategy to broadly target such devices around the world, said Renals, of Palo Alto Networks.
“The targeting and compromise of telecommunications companies has a direct impact on the everyday lives of citizens as these networks are foundational to modern society,” said Renals, senior manager for national security programs at the cybersecurity company’s Unit 42. “Salt Typhoon’s recent shift towards indiscriminate targeting of vulnerable network edge devices is equally concerning.”
A representative of LG Uplus, which is owned by LG Corp., declined to identify the client who owned the compromised device but said the company guided them “to ensure appropriate measures are taken” in April. The device wasn’t related to the South Korean wireless carrier’s internal systems, said the spokesperson, Sungmin Park.
“We have found no evidence of any further hacking attempts targeting our company in relation to this incident,” Park said.
Comcast spokesperson Joel Shadle said the Philadelphia-based company conducted its own investigation, worked with government investigators and “found no evidence that Salt Typhoon has impacted Comcast.”
The compromised device associated with an MTN internet address was in Ghana, according to the Recorded Future report. MTN, which is Africa’s largest mobile network operator, didn’t answer questions beyond saying it hadn’t detected a cyberattack by Salt Typhoon.
The group’s latest hacking attempts continue a campaign that US officials disclosed last year that compromised AT&T Inc., Verizon Communications Inc. and at least seven other American telecommunications companies. In those breaches, the hackers vacuumed up the personal data of millions of Americans and targeted the phones of then-candidate Trump, his running mate JD Vance and then-Vice President Kamala Harris.
Andrew Reddie, a professor at the University of California, Berkeley, said Chinese government-backed hackers’ pattern of targeting telecommunications companies allows them to collect intelligence and “maintain persistent access in the event of a future crisis.”
Photograph: An ethernet cable connects a router device inside a communications room at an office in London, U.K., on Monday, May 15, 2017. Photo credit: Chris Ratcliffe/Bloomberg